Added a test case where useFragment from react-relay should be marked as a source but isn't

Author: Napalys

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx

@@ -0,0 +1,22 @@
+import React from 'react';
+import { useFragment } from 'react-relay';
+
+const CommentComponent = ({ commentRef }) => {
+  const commentData = useFragment(
+    graphql`
+      fragment CommentComponent_comment on Comment {
+        id
+        text
+      }
+    `,
+    commentRef
+  ); // $ MISSING: Source=[js/xss]
+
+  return (
+    <div>
+      <h3>Comment:</h3>
+      {/* Directly rendering user input without sanitation */}
+      <p dangerouslySetInnerHTML = {{ __html: commentData.text}}> {commentData.text}</p> // $ MISSING: Alert=[js/xss]
+    </div> 
+  );
+};